Security association and location mapping decoupling in overlay networks

ABSTRACT

A first map request message is sent from a source network device to a mapping network device to determine a destination network device associated with a destination endpoint device and a security association between the source network device and the destination network device. A first response message is received at the source network device that includes data indicating a mapping between the destination network device and the destination endpoint device and data indicating a security association between the source network device and the destination network device. The data is stored at the source network device. A second map request message is sent from the source network device to the mapping network device to update the data indicative of the mapping or the security association. A second response message is received at the source network device from the mapping network device.

TECHNICAL FIELD

The present disclosure relates to routing of network traffic in overlaynetworks.

BACKGROUND

The Locator Identifier Separation Protocol (LISP) provides improvedrouting scalability and facilitates flexible address assignment formulti-homing, provider independence, mobility, and virtualization. LISPoffers an alternative to traditional network architectures byintroducing two separate Internet Protocol (IP) addresses: one toindicate routing locators (RLOCs) for routing traffic through thenetwork and a second address for endpoint identifiers (EIDs) used toidentify network sessions between devices.

Routers in LISP implementations utilize mapping caches that providemappings between an EID and the RLOC through which an endpoint accessesthe network. LISP implementations may also provide for mapping systems,sometimes implemented on standalone servers or distributed across aplurality of servers, which register and maintain a database of EID andRLOC associations. The mapping system accepts map request messages fromrouters when a router needs to send traffic to a particular EID but isunaware of the RLOC associated with the EID. The mapping system repliesto the map request messages by providing the RLOC associated with an EIDidentified in the map request message.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an illustration of a first network environment configured toemploy the location mapping and security association decouplingtechniques as described herein, according to an example embodiment.

FIG. 2 is an illustration of the network environment furtherillustrating the transmission of traffic through the network as enabledby the location mapping and security association decoupling techniquesas described herein, according to an example embodiment.

FIG. 3 is an illustration of the network environment depicting a processfor updating map cache values independently from security associationcache values through the location mapping and security associationdecoupling techniques as described herein, according to an exampleembodiment.

FIG. 4 is an illustration of the network environment further depicting aprocess for updating map cache values and security association valuesthrough the location mapping and security association decouplingtechniques as described herein, according to an example embodiment.

FIG. 5 is an illustration of the network environment depicting a secondprocess for updating map cache values independently from securityassociation cache values through the location mapping and securityassociation decoupling techniques as described herein, according to anexample embodiment.

FIG. 6 is an illustration of the network environment depicting a processfor updating security association cache values through the locationmapping and security association decoupling techniques as describedherein, according to an example embodiment.

FIG. 7 is an illustration of the network environment implementing thelocation mapping and security association decoupling techniques asdescribed herein for multicast traffic, according to an exampleembodiment.

FIG. 8 is an illustration of the network environment implementing thelocation mapping and security association decoupling techniques asdescribed herein across multiple network domains, according to anexample embodiment.

FIG. 9 is a flowchart illustrating a first process flow for implementingthe location mapping and security association decoupling techniques asdescribed herein, according to an example embodiment.

FIG. 10 is a flowchart illustrating a second process flow forimplementing the location mapping and security association decouplingtechniques as described herein, according to an example embodiment

FIG. 11 is a block diagram of an apparatus configured to perform thetechniques described herein, according to an example embodiment.

DESCRIPTION OF EXAMPLE EMBODIMENTS Overview

Briefly, mechanisms and network implementations are presented hereinthat provide for security association and location mapping decoupling inoverlay networks. In one embodiment, a first map request message is sentvia a network from a source network device to a mapping network deviceto determine a mapping between a destination network device and adestination endpoint device, and to determine a security associationbetween the source network device and the destination network device. Afirst response message is received at the source network device. Thefirst response message includes data indicative of the mapping betweenthe destination network device and the destination endpoint device, anddata indicative of the security association between the source networkdevice and the destination network device. The data indicative of themapping between the destination network device and the destinationendpoint device is stored at the source network device, as is the dataindicative of the security association between the source network deviceand the destination network device. A second map request message is sentfrom the source network device to update the stored data indicative ofthe mapping between the destination network device and the destinationendpoint device or the stored data indicative of the securityassociation between the source network device and the destinationnetwork device. A second response message in response to the second maprequest message is received at the source network device. One of thestored data indicative of the mapping between the destination networkdevice and the destination endpoint device or the stored data indicativeof the security association between the source network device and thedestination network device is updated independently from another of thestored data indicative of the mapping between the destination networkdevice and the destination endpoint device or the stored data indicativeof the security association between the source network device and thedestination network device.

According to another embodiment, a first map request message is sent viaa network from a source network device to a mapping network device todetermine a mapping between a destination network device and adestination endpoint device, and to determine a security associationbetween the source network device and the destination network device. Afirst response message is received at the source network device. Thefirst response message includes data indicative of the mapping betweenthe destination network device and the destination endpoint device anddata indicative of the security association between the source networkdevice and the destination network device. Data indicative of themapping between the destination network device and the destinationendpoint device is stored at the source network device, as is dataindicative of the security association between the source network deviceand the destination network device. The data indicative of the mappingbetween the destination network device and destination endpoint deviceis updated after a first duration. The data indicative of the securityassociation between the source network device and the destinationnetwork device is updated after a second duration different than thefirst duration.

Example Embodiments

With reference now made to FIG. 1, depicted therein is a networkenvironment 100 in which endpoints 105 and 110 are configured to accessnetwork 100 via routers 120, 125 and 130. Each of routers 120, 125 and130 may serve as border routers for network 100. Similarly, routers 120,125 and 130 may serve as tunnel routers, either egress or ingress tunnelrouters, for packets sent through network 100. Network 100 may beembodied as a campus fabric network that implements a logical or virtualoverlay network. A logical or virtual overlay network is a network inwhich a logical structure is applied to an underlying physical networkinfrastructure. For example, network 100 may be a Software DefinedNetwork (SDN) that provides Software Defined Access (SDA). SDA networksleverage virtual network overlays in order to support mobility,segmentation and programmability at very large scale.

Within network 100, one or more of endpoints 105 and 110 may be mobile,and therefore, endpoints 105 and 110 may move between routers 120, 125and 130. Due to this mobility, network 100 includes mapping system 135.Mapping system 135 provides mappings between endpoints and the routersthrough which the endpoints access network 100. When endpoint 105 sendstraffic to endpoint 110, endpoint 105 addresses a packet to endpoint 110and transmits it to router 120. Router 120 includes a map cache 140populated via mapping system 135. Map cache 140 stores a mapping betweenthe routers 120, 125 and 130 and the endpoints attached to the routers.Accordingly, when router 120 receives the packet from endpoint 105addressed to endpoint 110, router 120 will utilize map cache 140 todetermine where to send the packet.

According to specific example embodiments, routers 120, 125 and 130, mayimplement the Locator Identifier Separation Protocol (LISP). In suchembodiments, network devices (i.e., devices that provide for the routingsystem within network 100) are provided with routing locators (RLOCs).Endpoint devices (i.e., devices that utilize the network but that arenot part of the network infrastructure) are assigned endpointidentifiers (EIDs). While both of RLOCs and EIDs may use the same typeof identifier, such as an Internet Protocol (IP) address associated withthe respective devices, the functions for which EIDs and RLOCs are usedare different. In LISP, RLOCs are used for routing traffic through thenetwork (i.e., network 100) and EIDs used to identify network sessionsbetween devices. In other words, when traffic is sent through network100, RLOCs are used to route the traffic to the appropriate routerthrough which the endpoints access network 100, and the EIDs are used bythe routers to deliver the traffic to the appropriate endpoint.Therefore, in example embodiments of network 100 in which LISP isimplemented, map cache 140 stores mappings between RLOCs and EIDs sothat router 120 may utilize map cache 140 to determine which RLOC to useto forward the traffic to so that the traffic arrives at the router thatservices the appropriate endpoint.

When using map cache 140, router 120 determines if map cache 140contains an entry associated with the address (e.g., EID)) for endpoint110 indicated in the packet sent by endpoint 105. If such an entryexists, router 120 encapsulates the packet with encapsulation of adestination address (e.g., RLOC) of the router through which endpoint110 accesses network 100. In the example of FIG. 1, that router would berouter 125. Network 100 is also configured to provide encryption fortraffic sent between routers 120, 125 and 130. To facilitate thisencryption, security association cache 150 is provided to store dataindicative of encryption keys associated with routers, and these keysare used when sending traffic through network 100. As will be describedbelow, the process illustrated in FIG. 1 generates pairwiseunidirectional keys between the router serving as the access point forendpoint 105 (i.e., a source network device or source network router)and the router serving as the access point for the destination endpoint110 (i.e., a destination network device or destination router).Accordingly, if either of routers 120 or 125 is compromised, theattacker only gains visibility on the traffic that goes through thatrouter.

If map cache 140 lacks an entry associated with endpoint 110, mappingsystem 135 may be used to determine the router through which endpoint110 accesses network 100. Accordingly, map request message 155 is sentto mapping system 135. Map request message 155 is configured to populateboth map cache 140 and security association cache 150. Because both mapcache 140 and security association cache 150 are empty, map requestmessage 155 is configured to populate both caches with data necessary totransmit traffic through network 100 between endpoint 105 and endpoint110. Accordingly, map request message 155 is augmented with metadataused to establish a security association between router 120 andwhichever router is identified by mapping system 135 as being associatedwith endpoint 110.

As illustrated in FIG. 1, mapping system 135 maintains a mappingdatabase 160 that contains/stores a mapping between endpoints and therouters through which the endpoints access network 100. In LISPembodiments, these mappings represent mappings between EIDs and RLOCs.Mapping system 135 may be configured to respond directly to mappingrequests by sending the appropriate mapping for endpoint 110 directly torouter 120. A different approach is taken in the example embodimentillustrated in FIG. 1 because there are no security association entriesin security association cache 150, and therefore, router 120 may beconfigured to determine a security association for traffic betweenendpoint 105 and 110 at the time it establishes the mapping for endpoint110.

In order to populate security association cache 150 as well as mappingcache 140 and in response to message 155, mapping system 135 sends amessage 165 to the router through which endpoint 110 connects to network100, in this case, router 125. Message 165 contains data indicative ofendpoint 110, indicative of router 120 (i.e., the router that requeststhe mapping), and indicative of the key that will be used to encrypttraffic between router 120 and 125. Based upon message 165, router 125will update its security association cache 170 to include dataindicative of the encryption key and router 120. This data in securityassociation cache 170 will permit router 125 to decrypt traffic receivedfrom router 120 and also encrypt traffic sent to router 120. Accordingto other example embodiments, mapping system 135 will forward message155 to router 125 as message 165. Because message 155 was augmented withmetadata used to establish a security association between router 120 androuter 125, message 165 includes data used to establish the securityassociation between router 120 and router 125.

Router 125 also sends message 175 to router 120. Contained withinmessage 175 is data that enables router 120 to populate both of mappingcache 140 and security association cache 150. In embodiments in whichmapping system 135 provided the necessary security association to router125 via message 165, message 175 includes data indicative of router 125as the router through which endpoint 110 connects to network 100 as wellas data indicative of the key provided by mapping system 135 that willenable routers 120 and 125 to encrypt and decrypt traffic sent betweenthe two routers. In example embodiments in which mapping system 135forwards message 155 to router 125 as message 165, message 175 initiatesan exchange between router 125 and router 120 that permits the networkdevices to establish the security association therebetween. With thesecurity association established, security association cache 150 may bepopulated with data indicative of the key that will enable routers 120and 125 to encrypt and decrypt traffic sent between the two routers.

With mapping cache 140 and security association cache 150 populated,router 120 is enabled to send traffic through network 100 to endpoint110. Accordingly, an example of such traffic transmission is illustratedin FIG. 2.

With reference made to FIG. 2, endpoint 105 generates packet 205 fortransmission to endpoint 110. Packet 205 includes a destination address205 a indicative of endpoint 110, a source address 205 b indicative ofendpoint 105, and a payload 205 c. Based upon packet 205, router 120generates packet 210 based upon the contents of mapping cache 140.Packet 210 encapsulates the content of packet 205 with a VirtualExtensible Local Area Network (VXLAN) header 210 a; a DifferentiatedServices Code Point (DSCP) identifier, a VXLAN network identifier (VNI),and a Security Group Tag (SGT) in portion 210 b; a User DatagramProtocol (UDP) header 210 c, a source address 210 d indicating router120; and a destination address 210 e indicating router 125. Encryption210 f is applied to the VXLAN header 210 a and to the contents of packet205 using the contents of security association cache 150. Packet 210 isthen transmitted through network 100.

Upon receipt at router 125, encryption 210 f may be decrypted accordingto the contents of security association cache 170, and the encapsulationapplied by router 120 is stripped by router 125. The underlying packetis then forwarded to endpoint 110 as packet 215, essentially recreatingpacket 205 initially sent by endpoint 105 to router 120. Accordingly,the process illustrated in FIG. 1 enables router 120 to populate mapcache 140 and security association cache 150, and transmit trafficbetween endpoints through network 100, as illustrated in FIG. 2.

According to the techniques described herein, the updating or refreshingof map cache 140 and security association caches 150 and 170 may takeplace through different processes. For example, if one endpoint 110 isembodied as a mobile device, such as a laptop computer, a smartphone, ora tablet computer, the mapping between the endpoint 110 and the routerthrough which it accesses network 100 may be updated very frequently,such as on an order of seconds or minutes. On the other hand, encryptionkeys may not be updated with such frequency. Furthermore, multipleendpoints may access network 100 through the same router. By providingseparate caches for the mappings and security associations, and updatingthe caches on different schedules, the security associations may beutilized for multiple endpoints. Illustrated in FIG. 3 is a process forupdating map cache 140 independently from security association cache150.

As illustrated in FIG. 3, both map cache 140 and security associationcache 150 contain entries. Accordingly, unlike the process in FIG. 1, itmay be the case that router 120 already contains a security associationbetween router 120 and the router through which endpoint 110 connects tonetwork 100. Therefore, router 120 sends map request message 355 that isconfigured to cause mapping system 135 to respond directly to router 120with map reply message 360. If map reply message 360 indicates thatendpoint 110 accesses network 100 via router 125, then no further actionis required because security association cache 150 contains entry 150 athat provides the key necessary to encrypt traffic between router 120and router 125. As illustrated in FIG. 3, endpoint 110 accesses network100 via router 125, and this mapping is indicated in map reply message360. Traffic sent from endpoint 105 to endpoint 110 may then betransmitting through network 100 according to the process illustrated inFIG. 2.

With reference now made to FIG. 4, illustrated therein is an alternativeto the process illustrated in FIG. 3, in which endpoint 110 no longerconnects to network 100 via router 125, and instead connects to network100 via router 130. Similar to the process of FIG. 3, router 120 sendsmap request message 455 that is configured to cause mapping system 135to respond directly to router 120 with map reply message 460. If mapreply message 460 indicates that endpoint 110 accesses network 100 viarouter 125, then no further action is required because securityassociation cache 150 contains entry 150 a that provides the keynecessary to encrypt traffic between router 120 and router 125. Asillustrated in FIG. 4, endpoint 110 no longer accesses network 100 viaendpoint 130 but instead accesses network 100 via router 130. Based uponmap reply message 460, router 120 will update map cache 140 to indicatethe mapping between endpoint 110 and router 130. As illustrated in FIG.4, entry 140 a will be updated to reflect data as illustrated in entry140 a. This new mapping is indicated in map reply message 460. Becauseentry 150 a is the only entry in security association cache 150, and itindicates a security association for router 125, not router 130, router120 initiates a process to establish a security association betweenrouter 120 and router 130.

While map cache 140 has been updated to reflect router 130 as the accesspoint for endpoint 110, security association cache 150 lacks an entryfor router 130. Therefore, router 120 not return any value when itaccesses security association cache 150 in order to determine anencryption key for encryption of traffic destined for endpoint 110. Inresponse to not finding a security association for router 130, router120 sends map request message 465 to mapping system 135. Map requestmessage 465 is augmented with metadata used to establish a securityassociation between router 120 and router 130, the router through whichendpoint 110 now accesses network 100. In response to map requestmessage 465, mapping system 135 sends message 470 to the router throughwhich endpoint 110 connects to network 100, in this case, router 130.Message 470 contains data indicative of endpoint 110, indicative ofrouter 120 (i.e., the router that requests the mapping), and indicativeof the key that will be used to encrypt traffic between router 120 and130.

Based upon message 470, router 130 will update its security associationcache 475 to include data indicative of the encryption key and router120. This data in security association cache 475 will permit router 125to decrypt traffic received from router 120 and also encrypt trafficsent to router 120. Router 130 also sends message 480 to router 120.Contained within message 480 is data that enables router 120 to populatesecurity association cache 150 with the security association for router130, as illustrated in entry 150 b. Specifically, message 480 includesdata indicative of the key provided by mapping system 135 that willenable routers 120 and 130 to encrypt and decrypt traffic sent betweenthe two routers. With security association cache 150 populated toinclude entry 150 b, router 120 is enabled to send encrypted trafficthrough network 100 to endpoint 110.

A process like that illustrated in FIG. 4 may also be utilized toprovide the initial mapping for endpoint 110 to router 120. For example,in response to receiving traffic addressed to endpoint 110 from endpoint105, and not finding an entry associated with endpoint 110 in map cache140, router 120 will send map request message 455 that is configured tocause mapping system 135 to respond directly to router 120 with mapreply message 460. As illustrated in FIG. 4, endpoint 110 accessesnetwork 100 via router 130. Based upon map reply message 460, router 120will update map cache 140 to indicate the mapping between endpoint 110and router 130. If there is no security association in securityassociation cache 150 associated with endpoint 130, router 120 initiatesa process to establish a security association between router 120 androuter 130. Router 120 sends map request message 465 to mapping system135. Map request message 465 is augmented with metadata used toestablish a security association between router 120 and router 130, therouter through which endpoint 110 accesses network 130. In response tomap request message 465, mapping system 135 sends message 470 to therouter through which endpoint 110 connects to network 100, in this case,router 130. Message 470 contains data indicative of endpoint 110,indicative of router 120 (i.e., the router that requests the mapping),and indicative of the key that will be used to encrypt traffic betweenrouter 120 and 130. The process will then follow that described above sothat both router 120 and 130 may update their respective securityassociation caches 140 and 475 to permit the transmission of encryptedtraffic between endpoint 105 and endpoint 110.

With reference made to FIG. 5, depicted therein is network 100 at somepoint in time subsequent to that shown in FIG. 4. As shown in FIG. 5,two additional endpoints 505 and 510 now access network 100. Endpoint505 accesses network 100 through router 130, while endpoint 510 accessesnetwork 100 through router 125. Security association cache 150 includesa security association for router 125 in entry 150 a, populatedaccording to the process as illustrated in FIG. 1, and includes asecurity association for router 130 in entry 150 b, populated accordingto the process as illustrated in FIG. 1. Therefore, when traffic is sentfrom endpoint 105 to either of endpoints 505 or 510, there is no need toestablish security association for the routers through which theseendpoints access network 100. Specifically, when endpoint 105 sendstraffic to endpoint 505, router 120 will send map request message 555 tomapping system 135. Mapping system 135 replies with map reply message560 that indicates the mapping between endpoint 505 and router 130. Whenrouter 120 accesses security association cache 150 to retrieve thesecurity association for traffic sent between router 120 and 130, entry150 b will be returned. Accordingly, router 120 will be able to encryptand transmit traffic through network 100 to router 130 withoutreestablishing a new security association between router 120 and router130. Instead, router 120 may reuse the security association previouslyestablished in the process illustrated in FIG. 4 that initiallypopulated entry 150 b.

Similarly, when endpoint 105 sends traffic to endpoint 510, router 120will send map request message 565 to mapping system 135. Mapping system135 replies with map reply message 570 that indicates the mappingbetween endpoint 510 and router 125. When router 120 accesses securityassociation cache 150 to retrieve the security association for trafficsent between router 120 and 125, entry 150 a will be returned.Accordingly, router 120 will be able to encrypt and transmit trafficthrough network 100 to router 125 without reestablishing a securityassociation between router 120 and router 125. Instead, router 120 mayreuse the security association previously established in the processillustrated in FIG. 1 that initially populated entry 150 a.

With reference now made to FIG. 6, depicted therein are processes viawhich map cache 140 and security association cache 150 may beindependently refreshed or updated, independently from traffic sentbetween endpoints 105, 110, 505 and 510, and after different intervalsof time for the respective caches. For example, router 120 may beconfigured to refresh or delete entries 140 a and 140 b of map cacheafter a predetermined duration or period of time. For example, if entry140 a has been present in map cache 140 for a certain duration, router120 may update the entry or delete the entry depending on how recentlytraffic has been sent from router 120 to the endpoint associated withthe entry. To update entry 140 a, router 120 will send map requestmessage 655 to mapping system 135, and mapping system 135 will replywith map reply message 660 providing an updated mapping for endpoint110. Router 120 may then access security association cache 150 to ensurethat there is a security association for the router indicated in mapreply message 660. If the there is no security association in securityassociation cache 150 corresponding to the endpoint indicated in mapreply message 660, router 120 may initiate a process like thatillustrated in FIGS. 1 and/or 4 to determine a mapping association forthe router indicated in map reply message 660.

Router 120 may also independently clear or refresh the entries in thesecurity association cache 150. For example, after a predeterminedduration or period of time, router 120 may determine that one or moreentries in security association cache 150 has not been used for trafficsent through network 100. Any entry that goes unused for a certainduration or period of time may be cleared from the cache. According toother examples, entries in security association cache 150 may be updatedto ensure that the keys used for the encryption are not compromised.Accordingly, even if such entries have been recently used, router 120may refresh the key associated with the entry to ensure that the key isnot compromised. To update the security association for entry 150 b,router 120 will send map request message 665 to mapping system 135. Maprequest message 665 is augmented with metadata used to establish asecurity association between router 120 and router 130. In response tomap request message 665, mapping system 135 sends message 670 to therouter through which endpoint 110 connects to network 100, in this case,router 130. Message 670 contains data indicative of endpoint 110,indicative of router 120 (i.e., the router that requests the mapping),and indicative of a new key that will be used to encrypt traffic betweenrouter 120 and 130 and that will replace the previously used key.

Based upon message 670, router 130 will update its security associationcache 475 to include data indicative of the new encryption key forrouter 120. Router 130 also sends message 680 to router 120. Containedwithin message 680 is data that enables router 120 to refresh securityassociation cache 150 entry 150 b with the new key for router 130.

With reference now made to FIG. 7, depicted therein is network 100 inwhich router 120 and mapping system 135 implement a process todistribute keys for multicast addressed traffic sent from endpoint 105via router 120 and destined for both of endpoints 110 and 710. Theprocess as illustrated in FIG. 7 is, according to example embodiments,not a group key negotiation mechanism. Instead, the security association(i.e., the key used to encrypt traffic) meant for a given multicastgroup is shared with all the routers that are members of that multicastgroup. However, the key is used only to encrypt the multicast trafficsent to that multicast group, and it is not used to encrypt unicasttraffic. An attacker that compromises a key for a given multicast group,will be able to decrypt only the multicast traffic that is sent to thatspecific group, but not any other traffic sent to the other members ofthe multicast group, including multicast traffic that belongs to othermulticast groups that do not use the compromised key.

The process illustrated in FIG. 7 begins when endpoint 105 generates apacket addressed to a multicast address. According to the example ofFIG. 7, the multicast address indicates a multicast group that includesendpoint 110 and endpoint 710. Upon receipt of the multicast-addressedpacket, router 120 accesses both map cache 140 and security associationcache 150 to determine if they contain a mapping and/or key fortransmission of traffic utilizing the indicated multicast address. Ifeither cache lacks the appropriate entry, router 120 sends map requestmessage 755 to mapping system 135. Map request message 755 is augmentedwith metadata used to establish a security association between router120 and whichever router is identified by mapping system 135 as beingassociated with the indicated multicast address. Upon receipt of message760, mapping system 135 establishes the security association for themulticast address and sends map reply messages 760, 765 and 770. Mapreply message 760 provides the appropriate mapping between the multicastaddress and routers 125 and 130, as well as the key used to encrypt thetraffic sent to the multicast address. The data contained in map replymessage 760 allows router 120 to populate entries 150 c and 150 d ofsecurity associate cache 150 and entries 140 d and 140 e of map cache140. As illustrated in security association cache 150, when used withmulticast traffic, map cache 150 may include additional information,such as multicast address identifier 152. Because the key associatedwith the multicast address is the key used only to encrypt the multicasttraffic sent to that multicast group, the multicast identifier 152 isused to distinguish between entry 150 a, which includes the key forunicast traffic to router 125, and entry 150 c, which is used for aparticular multicast group that includes router 125. Similarly,multicast identifier 152 is used to distinguish between entry 150 b,which includes the key for unicast traffic to router 130, and entry 150d, which is used for a particular multicast group that includes router130.

Map reply messages 765 and 770 provide endpoints 125 and 130 with themapping between the multicast address and router 120 and the key used toencrypt traffic sent according to the multicast address.

With reference now made to FIG. 8, depicted therein is an exampleembodiment in which the techniques described herein are applied tonetwork environments that send traffic across multiple domains orvirtual network instances. As illustrated in FIG. 8, there are two SDNnetworks, network 100 and network 800. For example, network 100 andnetwork 800 may be implemented through separate VXLANs, and therefore,are identified using separate VNIs. Each of networks 100 and 800 has itsown mapping system, mapping systems 135 and 886, respectively, whichprovide mappings between routers within each network. Also illustratedin FIG. 8 is mapping system 880. Mapping system 880 provides mapping forborder routers between separate network instances. Specifically, mappingsystem 880 provides a mapping between border router 125 and network 100and also between border router 820 and network 800. Mapping system 880enables mappings to be determined that permit traffic to be sent betweenendpoints in different network instances. As will be described withreference to FIG. 8, mapping system 880 enables traffic to betransmitted from endpoint 105 in network 100 to endpoint 810 in network800.

According to the example of FIG. 8, router 120 receives trafficaddressed to endpoint 810 from endpoint 105. The process illustrated inFIG. 8 begins in a manner similar to that of FIGS. 1, 3 and 4. Inresponse to receiving traffic from endpoint 105, router 120 accesses mapcache 140 to determine if there is a mapping for endpoint 810 in mapcache 140. In response to not finding an entry associated with endpoint810 in map cache 140, router 120 will send map request message 855 tomapping system 135. Mapping system 135 determines that endpoint 810 isarranged outside of network 100 in network 800. Mapping system 135 alsodetermines that router 125 connects network 100 to network 800. Inresponse to this determination, mapping system sends message 865 torouter 125, in which mapping system 135 has included the VNI for network800.

Based upon message 865, router 125 may send message 875 to router 120.Message 875 enables a security association to be established betweenrouter 120 and router 125 and enables router 120 to populate map cache140 and security association cache 150, thereby enabling router 120 tosend the traffic generated by endpoint 105 as encrypted traffic withinnetwork 100 to router 125.

In addition to message 865, router 125 also sends message 870 to mappingsystem 880. The transmission of message 870 will result in message 872being sent from mapping system 880 to router 820, and message 874 beingsent to router 125. These messages establish a security associationbetween router 125 and router 820, as well as population of mapping andsecurity association caches at router 125 through a process analogous tothat the described herein with reference to messages 855, 865 and 875.Similarly, router 820 may send message 890 to mapping system 880. Thetransmission of message 890 will result in message 892 being sent frommapping system 886 to router 825, and message 894 being sent to router820. These messages establish a security association between router 820and router 825, as well as population of mapping and securityassociation caches at router 820 through a process analogous to that thedescribed herein with reference to messages 855, 865 and 875. With themappings and security associations established between routers 120 and125, routers 125 and 820, and 820 and 825, traffic may be sent fromendpoint 105 to endpoint 810. Furthermore, the transmission of thistraffic may be sent using different encryption keys for transmissionwithin network 100, between networks 100 and 800, and in network 800,respectively. Furthermore, each of these mappings and securityassociations may be updated using processes as described above withreference to FIGS. 1-7.

With reference now made to FIG. 9, depicted therein is a flowchart 900illustrating a first example process for providing the location mappingand security association decoupling techniques as described herein. Theprocess starts in operation 905 in which a first map request message issent via a network from a source network device to a mapping networkdevice to determine a mapping between a destination network device and adestination endpoint device, and a security association between thesource network device and the destination network device. An example ofsuch an operation may be the sending of one or more of message 155 inFIG. 1, message 355 in FIG. 3, message 455 in FIG. 4, message 555 inFIG. 5, message 755 in FIG. 7 and/or message 855 in FIG. 8. Additionalexamples include messages 870 and 890 as discussed above with referenceto FIG. 8.

In operation 910, a first response message is received at the sourcenetwork device from the destination network device. The first responsemessage includes data indicative of a mapping between the destinationnetwork device and the destination endpoint device, and data indicativeof a security association between the source network device and thedestination network device. Examples of such a message include themessages received at router 120 as discussed above with reference toFIGS. 1 and 3-8 that enable router 125 to populate its map cache andsecurity association cache. Further examples may include messages 874and 892 as discussed above with reference to FIG. 8.

In operation 915 data indicative of the mapping between the destinationnetwork device and the destination endpoint device and the dataindicative of the security association between the source network deviceand the destination are stored at the source network device. Examples ofoperation 915 may include the population of map caches and securityassociation caches as described above with reference to FIGS. 1-8.

In operation 920, a second map request message is sent from the sourcenetwork device to the mapping network device to update the stored dataindicative of the mapping between the destination network device and thedestination endpoint device or the stored data indicative of thesecurity association between the source network device and thedestination network device. Examples of operation 920 include thesending of message 455 or message 655, described above reference toFIGS. 4 and 6, respectively. Other examples of operation 920 include thesending of message 355, described above with reference to FIG. 3. Inoperation 925, and in response to the second map request message, asecond response message is received at the source network device. Thesecond response message includes a response to the second map requestmessage. Examples of operation 925 include the receipt of messages 460and 660, as described above with reference to FIGS. 4 and 6,respectively, which enable a router to update a map cache independentlyfrom the security association cache. Other examples include message 360of FIG. 3 that enables a router to update the security association cacheindependently from the map cache.

Finally, in operation 930, one of the stored data indicative of themapping between the destination network device and the destinationendpoint device or the stored data indicative of the securityassociation between the source network device and the destinationnetwork device is updated independently from the other of the storeddata indicative of the mapping between the destination network deviceand the destination endpoint device or the stored data indicative of thesecurity association between the source network device and thedestination network device.

With reference now made to FIG. 10, depicted therein is a flowchart 1000illustrating a second example process for providing the location mappingand security association decoupling techniques as described herein. Theprocess starts in operation 1005, which is similar to operation 905 ofFIG. 9, in which a first map request message is sent via a network froma source network device to a mapping network device to determine amapping between a destination network device and a destination endpointdevice and a security association between the source network device andthe destination network device. An example of such an operation may bethe sending of one or more of message 155 in FIG. 1, message 355 in FIG.3, message 455 in FIG. 4, message 555 in FIG. 5, message 755 in FIG. 7and/or message 855 in FIG. 8. Additional examples include messages 870and 890 as discussed above with reference to FIG. 8.

In operation 1010, a response message is received at the source networkdevice. The response message includes data indicative of the mappingbetween the destination network device and the destination endpointdevice, and data indicative of the security association between thesource network device and the destination network device. As withoperation 910 of FIG. 9, examples of such a message include the messagesreceived at router 120 as discussed above with reference to FIGS. 1 and3-8 that enable router 125 to populate its map cache and securityassociation cache. Further examples may include messages 874 and 892 asdiscussed above with reference to FIG. 8.

In operation 1015, the data indicative of the mapping between thedestination network device and the destination endpoint device and thedata indicative of the security association between the source networkdevice and the destination network device is stored at the sourcenetwork device. Examples of operation 1015 may include the population ofmap caches and security association caches as described above withreference to FIGS. 1-8.

In operation 1020, the data indicative of the mapping between thedestination network device and destination endpoint device is updatedafter a first duration. Examples of operation 1020 include the updatingof map caches as described above with reference to FIGS. 4 and 6.

In operation 1025, the data indicative of the security associationbetween the source network device and the destination network device isupdated after a second duration different than the first duration.Examples of operation 1025 include the updating of security associationcaches as described above with reference to FIG. 6. Accordingly, becausethe map cache and security association cache are updated after differentdurations, the caches are independently updated.

With reference now made to FIG. 11, depicted therein is a computersystem 1101 upon which the embodiments presented may be implemented. Thecomputer system 1101 may be programmed to implement a computer baseddevice, such as the routers, mapping systems, and other network devicesdescribed above with reference to FIGS. 1-8. The computer system 1101includes a bus 1102 or other communication mechanism for communicatinginformation, and a processor 1103 coupled with the bus 1102 forprocessing the information. While the figure shows a single block 1103for a processor, it should be understood that the processors 1103represent a plurality of processing cores, each of which can performseparate processing. The computer system 1101 also includes a mainmemory 1104, such as a random access memory (RAM) or other dynamicstorage device (e.g., dynamic RAM (DRAM), static RAM (SRAM), andsynchronous DRAM (SD RAM)), coupled to the bus 1102 for storinginformation and instructions to be executed by processor 1103. Inaddition, the main memory 1104 may be used for storing temporaryvariables or other intermediate information during the execution ofinstructions by the processor 1103.

The computer system 1101 further includes a read only memory (ROM) 1105or other static storage device (e.g., programmable ROM (PROM), erasablePROM (EPROM), and electrically erasable PROM (EEPROM)) coupled to thebus 1102 for storing static information and instructions for theprocessor 1103.

The computer system 1101 also includes a disk controller 1106 coupled tothe bus 1102 to control one or more storage devices for storinginformation and instructions, such as a magnetic hard disk 1107, and aremovable media drive 1108 (e.g., floppy disk drive, read-only compactdisc drive, read/write compact disc drive, compact disc jukebox, tapedrive, and removable magneto-optical drive). The storage devices may beadded to the computer system 1101 using an appropriate device interface(e.g., small computer system interface (SCSI), integrated deviceelectronics (IDE), enhanced-IDE (E-IDE), direct memory access (DMA), orultra-DMA).

The computer system 1101 may also include special purpose logic devices(e.g., application specific integrated circuits (ASICs)) or configurablelogic devices (e.g., simple programmable logic devices (SPLDs), complexprogrammable logic devices (CPLDs), and field programmable gate arrays(FPGAs)), that, in addition to microprocessors and digital signalprocessors may individually, or collectively, are types of processingcircuitry. The processing circuitry may be located in one device ordistributed across multiple devices.

The computer system 1101 may also include a display controller 1109coupled to the bus 1102 to control a display 1110, Liquid CrystalDisplay (LCD) or other now known or hereinafter developed displaytechnologies, for displaying information to a computer user. Thecomputer system 1101 includes input devices, such as a keyboard 1111 anda pointing device 1112, for interacting with a computer user andproviding information to the processor 1103. The pointing device 1112,for example, may be a mouse, a trackball, or a pointing stick forcommunicating direction information and command selections to theprocessor 1103 and for controlling cursor movement on the display 1110.In addition, a printer may provide printed listings of data storedand/or generated by the computer system 1101.

The computer system 1101 performs a portion or all of the processingsteps of the process in response to the processor 1103 executing one ormore sequences of one or more instructions contained in a memory, suchas the main memory 1104. Such instructions may be read into the mainmemory 1104 from another computer readable medium, such as a hard disk1107 or a removable media drive 1108. One or more processors in amulti-processing arrangement may also be employed to execute thesequences of instructions contained in main memory 1104. In alternativeembodiments, hard-wired circuitry may be used in place of or incombination with software instructions. Thus, embodiments are notlimited to any specific combination of hardware circuitry and software.

As stated above, the computer system 1101 includes at least one computerreadable medium or memory for holding instructions programmed accordingto the embodiments presented, for containing data structures, tables,records, or other data described herein. Examples of computer readablemedia are compact discs, hard disks, floppy disks, tape, magneto-opticaldisks, PROMs (EPROM, EEPROM, flash EPROM), DRAM, SRAM, SD RAM, or anyother magnetic medium, compact discs (e.g., CD-ROM), or any otheroptical medium, punch cards, paper tape, or other physical medium withpatterns of holes, or any other medium from which a computer can read.

Stored on any one or on a combination of non-transitory computerreadable storage media, embodiments presented herein include softwarefor controlling the computer system 1101, for driving a device ordevices for implementing the process, and for enabling the computersystem 1101 to interact with a human user. Such software may include,but is not limited to, device drivers, operating systems, developmenttools, and applications software. Such computer readable storage mediafurther includes a computer program product for performing all or aportion (if processing is distributed) of the processing presentedherein.

The computer code devices may be any interpretable or executable codemechanism, including but not limited to scripts, interpretable programs,dynamic link libraries (DLLs), Java classes, and complete executableprograms. Moreover, parts of the processing may be distributed forbetter performance, reliability, and/or cost.

The computer system 1101 also includes a communication interface 1113coupled to the bus 1102. The communication interface 1113 provides atwo-way data communication coupling to a network link 1114 that isconnected to, for example, a local area network (LAN) 1115, or toanother communications network 1116 such as the Internet. For example,the communication interface 1113 may be a wired or wireless networkinterface card to attach to any packet switched (wired or wireless) LAN.As another example, the communication interface 1113 may be anasymmetrical digital subscriber line (ADSL) card, an integrated servicesdigital network (ISDN) card or a modem to provide a data communicationconnection to a corresponding type of communications line. Wirelesslinks may also be implemented. In any such implementation, thecommunication interface 1113 sends and receives electrical,electromagnetic or optical signals that carry digital data streamsrepresenting various types of information.

The network link 1114 typically provides data communication through oneor more networks to other data devices. For example, the network link1114 may provide a connection to another computer through a local areanetwork 1115 (e.g., a LAN) or through equipment operated by a serviceprovider, which provides communication services through a communicationsnetwork 1116. The local network 1114 and the communications network 1116use, for example, electrical, electromagnetic, or optical signals thatcarry digital data streams, and the associated physical layer (e.g., CAT5 cable, coaxial cable, optical fiber, etc.). The signals through thevarious networks and the signals on the network link 1114 and throughthe communication interface 1113, which carry the digital data to andfrom the computer system 1101 maybe implemented in baseband signals, orcarrier wave based signals. The baseband signals convey the digital dataas unmodulated electrical pulses that are descriptive of a stream ofdigital data bits, where the term “bits” is to be construed broadly tomean symbol, where each symbol conveys at least one or more informationbits. The digital data may also be used to modulate a carrier wave, suchas with amplitude, phase and/or frequency shift keyed signals that arepropagated over a conductive media, or transmitted as electromagneticwaves through a propagation medium. The computer system 1101 cantransmit and receive data, including program code, through thenetwork(s) 1115 and 1116, the network link 1114 and the communicationinterface 1113. Moreover, the network link 1114 may provide a connectionthrough a LAN 1115 to a mobile device 1117 such as a personal digitalassistant (PDA) laptop computer, or cellular telephone.

In summary, provided for herein are enhancements to the LISP map-cacheand resolution mechanisms that allow security associations to becalculated independently of the LISP mappings, yet still using the LISPcontrol plane infrastructure. In the proposed method, a separateresolution flow and a separate cache are maintained in order to optimizethe use of cryptographic resources in mobility scenarios where roamingevents may or may not require a re-calculation of cryptographic keymaterial. The mechanism allows pairwise unidirectional key calculationin LISP implementations. The proposed mechanism also addresses therequirements for encryption in conjunction with multicast andextraneting.

Also provided for herein is a method comprising: sending, via a network,a first map request message from a source network device to a mappingnetwork device to determine a mapping between a destination networkdevice and a destination endpoint device, and a security associationbetween the source network device and the destination network device;receiving, at the source network device from the destination networkdevice, a first response message comprising data indicative of themapping between the destination network device and the destinationendpoint device, and data indicative of the security association betweenthe source network device and the destination network device; storing,at the source network device, stored data indicative of the mappingbetween the destination network device and the destination endpointdevice, and stored data indicative of the security association betweenthe source network device and the destination network device; sending asecond map request message from the source network device to update thestored data indicative of the mapping between the destination networkdevice and the destination endpoint device or the stored data indicativeof the security association between the source network device and thedestination network device; receiving, at the source network device, asecond response message in response to the second map request message;and updating, in response to receiving the response to the second maprequest message, one of the stored data indicative of the mappingbetween the destination network device and the destination endpointdevice or the stored data indicative of the security association betweenthe source network device and the destination network deviceindependently from another of the stored data indicative of the mappingbetween the destination network device and the destination endpointdevice or the stored data indicative of the security association betweenthe source network device and the destination network device.

A second method is also provided comprising: sending, via a network, afirst map request message from a source network device to a mappingnetwork device to determine a mapping between a destination networkdevice and a destination endpoint device and a security associationbetween the source network device and the destination network device;receiving, at the source network device, a response message comprisingdata indicative of the mapping between the destination network deviceand the destination endpoint device, and data indicative of the securityassociation between the source network device and the destinationnetwork device; storing, at the source network device, the dataindicative of the mapping between the destination network device and thedestination endpoint device, and the data indicative of the securityassociation between the source network device and the destinationnetwork device; updating the data indicative of the mapping between thedestination network device and destination endpoint device after a firstduration; and updating the data indicative of the security associationbetween the source network device and the destination network deviceafter a second duration different than the first duration.

Also provided by the present disclosure are apparatuses configured toimplement operations analogous to the methods described above. Forexample, an apparatus is provided that includes a network interface, amemory and one or more processors. The processor is configured to: send,via the network interface, a first map request message from theapparatus to a mapping network device to determine a mapping between adestination network device and a destination endpoint device and asecurity association between the apparatus and the destination networkdevice; receive, via the network interface, a response messagecomprising data indicative of the mapping between the destinationnetwork device and the destination endpoint device, and data indicativeof the security association between the apparatus and the destinationnetwork device; store, in the memory, the data indicative of the mappingbetween the destination network device and the destination endpointdevice, and the data indicative of the security association between theapparatus and the destination network device; update the data indicativeof the mapping between the destination network device and thedestination endpoint device after a first duration; and update the dataindicative of the security association between the apparatus and thedestination network device after a second duration different than thefirst duration.

A second example apparatus is provided that includes a networkinterface, a memory and a processor. The processor is configured to:send, via the network interface, a first map request message from theapparatus to a mapping network device to determine a mapping between adestination network device and a destination endpoint device, and asecurity association between the apparatus and the destination networkdevice; receive, via the network interface from the destination networkdevice, a first response message comprising data indicative of themapping between the destination network device and the destinationendpoint device, and data indicative of the security association betweenthe apparatus and the destination network device; store, in the memory,stored data indicative of the mapping between the destination networkdevice and the destination endpoint device and stored data indicative ofthe security association between the apparatus and the destinationnetwork device; send, via the network interface, a second map requestmessage from the apparatus to update the stored data indicative of themapping between the destination network device and the destinationendpoint device or the stored data indicative of the securityassociation between the apparatus and the destination network device;receive, via the network interface, a second response message inresponse to the second map request message; and update one of the storeddata indicative of the mapping between the destination network deviceand the destination endpoint device or the stored data indicative of thesecurity association between the apparatus and the destination networkdevice independently from another of the stored data indicative of themapping between the destination network device and the destinationendpoint device or the stored data indicative of the securityassociation between the apparatus and the destination network device.

Also provided for herein are computer readable media encoded withinstructions. The instructions, when executed by a process, areconfigured to implement operations to carry out the techniques describedherein. For example, provided for herein is a computer readable mediaencoded with instructions, wherein the instructions, when executed by aprocessor, are operable to: send, via a network, a first map requestmessage from a source network device to a mapping network device todetermine a mapping between a destination network device and adestination endpoint device, and a security association between thesource network device and the destination network device; receive, atthe source network device from the destination network device, a firstresponse message comprising data indicative of the mapping between thedestination network device and the destination endpoint device, and dataindicative of the security association between the source network deviceand the destination network device; store, at the source network device,stored data indicative of the mapping between the destination networkdevice and the destination endpoint device and stored data indicative ofthe security association between the source network device and thedestination network device; send a second map request message from thesource network device to update the stored data indicative of themapping between the destination network device and the destinationendpoint device or the stored data indicative of the securityassociation between the source network device and the destinationnetwork device; receiving, at the source network device, a secondresponse message in response to the second map request message; andupdate one of the stored data indicative of the mapping between thedestination network device and the destination endpoint device or thestored data indicative of the security association between the sourcenetwork device and the destination network device independently fromanother of the stored data indicative of the mapping between thedestination network device and the destination endpoint device or thestored data indicative of the security association between the sourcenetwork device and the destination network device.

As a further example, also provided for herein is a second examplecomputer readable media encoded with instructions, wherein theinstructions, when executed by a processor, are operable to send, via anetwork, a first map request message from a source network device to amapping network device to determine a mapping between a destinationnetwork device and a destination endpoint device and a securityassociation between the source network device and the destinationnetwork device; receive, at the source network device, a responsemessage comprising data indicative of the mapping between thedestination network device and the destination endpoint device, and dataindicative of the security association between the source network deviceand the destination network device; store, at the source network device,the data indicative of the mapping between the destination networkdevice and the destination endpoint device, and the data indicative ofthe security association between the source network device and thedestination network device; update the data indicative of the mappingbetween the destination network device and destination endpoint deviceafter a first duration; and update the data indicative of the securityassociation between the source network device and the destinationnetwork device after a second duration different than the firstduration.

The above description is intended by way of example only. Although thetechniques are illustrated and described herein as embodied in one ormore specific examples, it is nevertheless not intended to be limited tothe details shown, since various modifications and structural changesmay be made within the scope and range of equivalents of the claims.

What is claimed is:
 1. A method comprising: sending, via a network, afirst map request message from a source network device to a mappingnetwork device to determine a mapping between a destination networkdevice and a destination endpoint device, and a security associationbetween the source network device and the destination network device;receiving, at the source network device from the destination networkdevice, a first response message comprising data indicative of themapping between the destination network device and the destinationendpoint device, and data indicative of the security association betweenthe source network device and the destination network device; storing,at the source network device, stored data indicative of the mappingbetween the destination network device and the destination endpointdevice, and stored data indicative of the security association betweenthe source network device and the destination network device; sending asecond map request message from the source network device to update thestored data indicative of the mapping between the destination networkdevice and the destination endpoint device or the stored data indicativeof the security association between the source network device and thedestination network device; receiving, at the source network device, asecond response message in response to the second map request message;and updating, in response to receiving the response to the second maprequest message, one of the stored data indicative of the mappingbetween the destination network device and the destination endpointdevice or the stored data indicative of the security association betweenthe source network device and the destination network deviceindependently from another of the stored data indicative of the mappingbetween the destination network device and the destination endpointdevice or the stored data indicative of the security association betweenthe source network device and the destination network device.
 2. Themethod of claim 1, wherein sending the second map request messagecomprises sending the second map request message from the source networkdevice to the mapping network device to update the data indicative ofthe security association between the source network device and thedestination network device; and wherein updating the one of the storeddata indicative of the mapping between the destination network deviceand the destination endpoint device or the stored data indicative of thesecurity association between the source network device and thedestination network device comprises updating the stored data indicativeof the security association between the source network device and thedestination network device independently from the stored data indicativeof the mapping between the destination network device and thedestination endpoint device.
 3. The method of claim 2, wherein receivingthe second response message in response to the second map requestmessage comprises receiving data indicative of a security associationbetween the destination network device and a second destination networkdevice.
 4. The method of claim 1, wherein sending the second map requestmessage comprises sending the second map request message from the sourcenetwork device to the mapping network device to update the dataindicative of the mapping between the destination network device and thedestination endpoint device; and wherein updating the one of the storeddata indicative of the mapping between the destination network deviceand the destination endpoint device or the stored data indicative of thesecurity association between the source network device and thedestination network device comprises updating the data indicative of themapping between the destination network device and the destinationendpoint device independently from the stored data indicative of thesecurity association between the source network device and thedestination network device.
 5. The method of claim 4, wherein receivingthe second response message in response to the second map requestmessage comprises receiving data indicative of a security associationbetween the destination endpoint device and the destination networkdevice.
 6. The method of claim 1, wherein the data indicative of thesecurity association between the source network device and thedestination network device comprises an encryption key.
 7. The method ofclaim 1, wherein receiving the first response message comprisesreceiving, from the mapping network device, an encryption key forencrypting traffic sent to a multicast group.
 8. The method of claim 1,wherein receiving the first response message comprises receiving thefirst response message from the destination network device.
 9. Themethod of claim 1, wherein storing the data indicative of the mappingbetween the destination network device and the destination endpointdevice, and the data indicative of the security association between thesource network device and the destination network device comprises:storing the data indicative of the mapping between the destinationnetwork device and the destination endpoint device in a first cache; andstoring the data indicative of the security association between thesource network device and the destination network device in a secondcache.
 10. A method comprising: sending, via a network, a first maprequest message from a source network device to a mapping network deviceto determine a mapping between a destination network device and adestination endpoint device and a security association between thesource network device and the destination network device; receiving, atthe source network device, a response message comprising data indicativeof the mapping between the destination network device and thedestination endpoint device, and data indicative of the securityassociation between the source network device and the destinationnetwork device; storing, at the source network device, the dataindicative of the mapping between the destination network device and thedestination endpoint device, and the data indicative of the securityassociation between the source network device and the destinationnetwork device; updating the data indicative of the mapping between thedestination network device and the destination endpoint device after afirst duration; and updating the data indicative of the securityassociation between the source network device and the destinationnetwork device after a second duration different than the firstduration.
 11. The method of claim 10, wherein receiving the responsemessage comprises receiving the response message from the destinationnetwork device.
 12. The method of claim 10, wherein updating the dataindicative of the mapping between the destination network device anddestination endpoint device after the first duration comprises: sendinga second map request message from the source network device to themapping network device; and receiving a second response message from themapping network device.
 13. The method of claim 12, wherein the secondresponse message comprises data indicative of a second destinationnetwork device.
 14. The method of claim 10, wherein updating the dataindicative of the security association between the source network deviceand the destination network device after the second duration comprises:sending a second map request message from the source network device tothe mapping network device; and receiving a second response message froma network device through which the destination endpoint device accessesthe network.
 15. The method of claim 10, wherein receiving the dataindicative of the security association between the source network deviceand the destination network device comprises receiving an encryption keyfor encrypting traffic sent to a multicast group.
 16. An apparatuscomprising: a memory; a network interface configured to transmit andreceive data over a network, and a processor coupled to the networkinterface, wherein the processor is configured to: send, via the networkinterface, a first map request message from the apparatus to a mappingnetwork device to determine a mapping between a destination networkdevice and a destination endpoint device and a security associationbetween the apparatus and the destination network device; receive, viathe network interface, a response message comprising data indicative ofthe mapping between the destination network device and the destinationendpoint device, and data indicative of the security association betweenthe apparatus and the destination network device; store, in the memory,the data indicative of the mapping between the destination networkdevice and the destination endpoint device, and the data indicative ofthe security association between the apparatus and the destinationnetwork device; update the data indicative of the mapping between thedestination network device and the destination endpoint device after afirst duration; and update the data indicative of the securityassociation between the apparatus and the destination network deviceafter a second duration different than the first duration.
 17. Theapparatus of claim 16, wherein the processor is configured to receivethe response message by receiving the response message from thedestination network device.
 18. The apparatus of claim 16, wherein theprocessor is configured to update the data indicative of the mappingbetween the destination network device and destination endpoint deviceafter the first duration by: sending, via the network interface, asecond map request message from the apparatus to the mapping networkdevice; and receiving, via the network interface, a response messagefrom the mapping network device.
 19. The apparatus of claim 16, whereinthe processor is configured to update the data indicative of thesecurity association between the apparatus and the destination networkdevice after the second duration by: sending a second map requestmessage from the apparatus to the mapping network device; and receivinga response message from a network device through which the destinationendpoint device accesses the network.
 20. The apparatus of claim 16,wherein the processor is configured to receive the data indicative ofthe security association between the apparatus and the destinationnetwork device by receiving an encryption key for encrypting trafficsent to a multicast group.